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High rate locally correctable codes via lifting 

Alan Guo * 



Abstract 



We present a general framework for constructing high rate error correcting codes that are 
locally correctable (and hence locally decodable if linear) with a sublinear number of queries, 
based on lifting codes with respect to functions on the coordinates. Our approach generalizes the 
lifting of affinc-invariant codes of Guo, Kopparty, and Sudan and its generalization automorphic 
lifting, suggested by Ben-Sasson et al, which lifts algebraic geometry codes with respect to a 
group of automorphisms of the code. Our notion of lifting is a natural alternative to the degree- 
lifting of Ben-Sasson ct al and it carries two advantages. First, it overcomes the rate barrier 
inherent in degree-lifting. Second, it is extremely flexible, requiring no special properties (e.g. 
linearity, invariance) of the base code, and requiring very little structure on the set of functions 
on the coordinates of the code. 

As an application, we construct new explicit families of locally correctable codes by lifting 
algebraic geometry codes. Like the multiplicity codes of Kopparty, Saraf, Yekhanin and the 
affine-lifted codes of Guo, Kopparty, Sudan, our codes of block-length N can achieve N e query 
complexity and 1 — a rate for any given e, a > while correcting a constant fraction of errors, 
in contrast to the Reed-Muller codes and the degree-lifted AG codes of Ben-Sasson et al which 
face a rate barrier of e ^ 1 '^. However, like the degree-lifted AG codes, our codes are over an 
alphabet significantly smaller than that obtained by Reed-Muller codes, affine-lifted codes, and 
multiplicity codes. 



*CSAIL, Massachusetts Institute of Technology, 32 Vassar Street, Cambridge, MA, USA. aguo@mit.edu. Research 
supported in part by NSF grants CCF-0829672, CCF-1065125, and CCF-6922462, and an NSF Graduate Research 
Fellowship 



Contents 

1 Introduction 3 

1.1 Error correcting codes and locally correctable codes 3 

1.2 Previous work 3 

1.3 Our results 4 

1.4 Comparison of parameters 5 

2 Preliminaries 6 

2.1 Notation 6 

2.2 Terminology 7 

3 Definitions 7 

3.1 Lifting 8 

3.2 Double transitivity 8 

4 Distance of lifted codes 9 

5 Correction algorithms 11 

5.1 One-shot correcting 12 

5.2 Fractal correcting 12 

6 Base codes 13 

6.1 Reed-Solomon code 13 

6.2 Hermitian code 13 

6.3 Hermitian tower 14 

6.3.1 Constructing endomorphisms 15 

6.3.2 Closeness to double transitivity 16 

7 Explicit Constructions 17 

7.1 Lifting the Hermitian code 17 

7.2 Lifting the Hermitian tower 20 

7.2.1 Warm up: lifting from the 3rd level 21 

7.2.2 Beyond the 3rd level 22 

8 Conclusion 24 



1 Introduction 

We present a general framework for constructing long locally correctable codes from short base 
codes via the operation of lifting. Our notion of lifting generalizes afhne lifting, automorphic 
lifting, and high-degree sampling defined in previous works, and we use it to obtain new explicit 
high rate locally correctable codes by lifting certain algebraic geometric codes. 

1.1 Error correcting codes and locally correctable codes 

We begin with some coding theory preliminaries. A code C of block length N over an alphabet R 
is a subset of R N . Elements f € C are codewords. Typically £ is used to denote the alphabet, but 
we use R because it is helpful to think of a codeword / not as a vector in R , but as a function 
/ : D —J- R (D for domain, R for range), where we identify D with [N] = {1, . . . , N}. Typically one 
thinks of C as the image of some encoding map Enc : Rq — > R which injectively maps if-symbol 
messages over an alphabet Ro to TV-symbol codewords (here Rq may be different from it!). The 
rate of the code C is K/N, which measures the efficiency of our encoding. We want to make K/N 
as large as we can. Another important parameter of a code is the minimum pairwise distance 
between distinct codewords. The (Hamming) distance between two words f,g€ R N is the number 
of coordinates in which they differ, i.e. 

A(f,g)±{ie[N]\x i ^y i }. 

The distance A(C) of C is simply min{A(/, g) \ f,g € C, f / g}. We want A(C) to be as large as 
possible. We often look at the normalized distance S(f,g), which is simply j^A(f,g), and similarly 
5(C) = j,A{C). 

The motivation behind error correcting codes is to make information robust to noise. The 
original message m € Rq is encoded into some codeword Enc(m) € R . Noise may corrupt some 
symbols of Enc(m), resulting in a new word r € R N , the received word. The number of symbols 
corrupted is exactly A(Enc(m),r). If the number of errors is small, say less than A(C)/2, then 
Enc(m) is the unique codeword in C within Hamming distance A(C)/2 of r, and one can uniquely 
decode r to get m, since Enc is injective. 

To decode a received word, it may be necessary to examine the entire word. In some settings, 
the received word is prohibitively large, and one wishes only to decode one symbol of the message. 
Codes with which one can do this by querying only a small number of symbols of the input are 
known as locally decodable codes. A related concept is the notion of locally correctable code. Such 
a code allows one to correct a symbol of the codeword (rather than a symbol of the message) by 
querying only a few symbols of the input. The main parameters of interest are the rate and the 
query complexity, or locality, the number of symbols queried to recover a single symbol. These 
codes are the focus of this work. We formally define these notions in Section 2. 

1.2 Previous work 

Until recently, there were no known locally correctable codes with sublinear query complexity 
and rate greater 1/2. The Reed-Muller code was the first locally correctable code, with the first 
correction procedure proposed by Reed [9], which happened to be a local correction procedure. The 
m-variate Reed-Muller over ¥ q with degree parameter r consists of all m-variate polynomials of 
total degree less than r. More precisely, a codeword is the list of evaluations of such a polynomial 



on all points of F™. The idea behind the local correction procedure is to pick a random line passing 
through the point whose value we wish to correct, view the restriction of the polynomial to the line 
as a corrupted Reed-Solomon codeword, and use a Reed-Solomon decoding algorithm to correct the 
value on the line. For any e > 0, the Reed-Muller codes can achieve query complexity N e by taking 
m = 1/e and N = q m . Unfortunately, the m-variate Reed-Muller code with positive distance (by 
taking r to be a constant fraction of q) can never exceed 1/m! in rate. This certainly never exceeds 
1/2. 

The recent work of Kopparty, Saraf, and Yekhanin [7] introduced the first locally correctable 
codes that can achieve rate greater than 1/2, and in fact can achieve any rate arbitrarily close to 1. 
More precisely, for any e, a > 0, the multiplicity code can achieve query complexity N e and rate 
1 — a while correcting a constant fraction of errors. One may view multiplicity codes as a variant of 
Reed-Muller codes, where each codeword consists of evaluations of a low-degree polynomial along 
with its partial derivatives. 

An alternative to the multiplicity codes are the lifted Reed-Solomon codes of Guo, Kopparty, 
and Sudan [5]. These are yet another variant of Reed-Muller codes -- more precisely, they are 
supercodes of Reed-Muller codes with vastly greater dimension but the same distance. The main 
idea behind lifted codes is the notion of "lifting" - an operation first introduced in [2] to prove 
negative results in property testing. Essentially, the lifting operation takes a short base code 
C C {Fg -> Fq} and "lifts" it to a longer code C C {F™ ->■ ¥ q }, for m > t, such that codewords of 
C are those / : F™ — > ¥ q whose restriction to every ^-dimension affine subspace is a codeword of C. 
Guo et al [5] obtain locally correctable codes with query complexity N e and rate 1 — a by lifting 
the Reed-Solomon code. Our work generalizes this notion of lifting. 

The work of Ben-Sasson et al [1] presents another way to build long locally correctable codes 
from short base codes via the "degree-lifting" operation. Degree-lifting abstracts the process of 
obtaining the Reed-Muller codes from the Reed-Solomon code and applies it to algebraic geometry 
codes. By degree-lifting certain algebraic geometry codes, such as the Hermitian code, Ben-Sasson 
et al obtain locally correctable codes with Reed-Muller-like properties but significantly smaller 
alphabet. Unfortunately, degree-lifting faces the same rate barrier that the Reed-Muller codes 
face, for essentially the same reason. Two key contributions of [J] which we use in our work are 
the notions of a group being "close" to doubly transitive, and the fractal correction algorithm. 
In particular, a conceptual contribution of [1] is the observation that the "uniformity" of the 
automorphism group of an algebraic geometry code yields good local correctability properties. Our 
work generalizes this observation. Ben-Sasson et al also suggests the idea of "automorphic lifting", 
a natural generalization of the affine lifting of [ ] to apply to algebraic geometry codes. Our work 
further generalizes this idea. Moreover, our notion of lifting encapsulates the notion of high-degree 
sampling used in [1] as well. The idea of high-degree sampling is to restrict not to automorphisms, 
but to "high-degree views" . For instance, instead of restricting to lines to decode the Reed-Muller 
code, one may restrict to curves parametrized by quadratic equations. 

1.3 Our results 

In this work, we introduce a lifting framework which abstracts the lifting operation used by [5] 
and the automorphic lifting suggested by [1] as well as the high-degree restrictions used by [1]. 
Our framework applies to arbitrary codes and arbitrary sets of functions (as opposed to invariant 
codes under some group of (generalized) automorphisms). In particular, unlike the degree-lifting 
operation of [1], our lifting operation does not require an algebraic notion of "degree". Informally, 



our lifting operation is denned as follows. Let $ be a set of functions from D —?■ D. The m-variate 
lift of C C {D — > R} with respect to 3> is the code whose codewords are those / : D m — > R such 
that the univariate function f(a\(x), . . . , a m (x)) is a codeword of C for all (cri, . . . , a m ) G <I>"\ For 
affine-lifting, the domain is D = ¥ q and <£ is the group of affine permutations on ¥ q , and in [5] the 
base code is taken to be affine-invariant. More generally, for automorphic lifting, $ is some group 
of automorphisms on D under which C is invariant. Our definition of lifting requires neither C to 
be ^-invariant, nor even $ to be a group. 

A conceptual contribution of our work is to show that if $ is sufficiently close to uniform in 
the sense of Ben-Sasson et al [1], then this suffices for the lift to have good distance and be locally 
correctable. We show that there is nothing essential about the symmetry of the base code under 
<&, nor the fact that $ is a group. Thus, designing good lifted codes "merely" involves choosing a 
good set <3? with respect to which to lift. On the one hand, including too many functions in <I> kills 
the rate of the lifted code, since every function adds a constraint on the lifted code. On the other 
hand, including too few functions in <3? kills the distance of the lifted code, since we want enough 
functions in $ to make it "close" to doubly transitive. 

As an application, we construct two explicit families of locally correctable codes via lifting. The 
first family arises from lifting the Hermitian code, the algebraic geometry code that [1] degree-lift. 
We obtain high rate locally correctable codes similar to the lifted Reed-Solomon codes, except 
over a significantly smaller alphabet. Our second construction is actually an infinite collection of 
families arising from lifting levels of the Hermitian function field tower, which was used in [10] in 
the context of classical error correcting codes, and in [6] in the context of list decoding. Our $ in 
this case is not a group and consists of high-degree maps, yet the lifts still achieve high rate. 

Though our explicit constructions use algebraic geometry codes as base codes, our exposition 
is elementary and self-contained. Invoking the language of algebraic function field theory is only 
necessary to prove the properties of the base codes; the properties themselves can be stated in 
elementary terms, and we do so. We refer the interested reader who wishes to see the proofs of 
these facts to the book of Stichtenoth [11] on algebraic function fields and codes. 

1.4 Comparison of parameters 

We compare the parameters of the constant rate locally correctable codes found in the literature, 
including the ones constructed in this paper. We start with some easy comparisons. The lifted 
Reed-Solomon code of Guo, Kopparty, Sudan [5] is strictly better than the Reed-Muller code, as it 
is a strict supercode with the same distance. In fact, with m variables over ¥ q , the two codes have 
the same length, alphabet, and query complexity, but the rate of Reed-Muller is bounded above by 
— c (even as its distance goes to 0) whereas the rate of the lifted Reed-Solomon code approaches 1 
as its distance goes to 0. Similarly, the lifted Hermitian code (Theorem 7.1) has the same length, 
alphabet, and query complexity as that of the degree-lifted Hermitian code of Ben-Sasson et al [1], 
but the rate of the degree-lifted Hermitian code is bounded above by -j-j whereas the rate of the 
lifted Hermitian code approaches 1 as its distance goes to 0. 

To compare the various families of high rate locally correctable codes, we normalize their pa- 
rameters. Namely, we fix the block length to N, the rate to 1 — a, query complexity to N e , and 
compare the alphabet size and error correcting rate of each code. The results are summarized in 
the table below. 



Code 


Alphabet size 


Error correcting rate 


Multiplicity [' 


N n((l/e)w>) 


fi(ea) 


Lifted Reed-Solomon [5] 


N e 


a O((2/6)CVeJ log(l/ 6 )) 


Lifted Hermitian (Theorem 7.1) 


iW 3 


a O((8/6)W-; log(l/e)) 



In order for the lifted Reed-Solomon to match the alphabet size of the lifted Hermitian code 
(by taking locality A re ' 3 ), its error correcting rate must become a " e ' e ' /£ lo &( l / € >> which is worse 
than that of the lifted Hermitian code for sufficiently small e. 

In comparison with the multiplicity codes of [7], the lifted Hermitian code achieves a much 
smaller alphabet but also much poorer (though still positive constant) error correction rate. The 
smaller alphabet is not necessarily an advantage, since one can simply concatenate the multiplicity 
codes with a suitably good linear code over an alphabet of constant size and still achieve N e 
locality, 1 — a rate, and constant distance. However, the lifted Hermitian code may outperform the 
multiplicity code in certain concrete settings of parameters. 

Organization. In Section 2 we introduce standard notation and terminology used in the paper. 
In Section 3 we present the key definitions and notions used in the paper, in particular the definitions 
of invariance and lifting. In Section 4 we show that if a set of functions is sufficiently "close to 
doubly transitive", lifting a code with respect to the set yields a code with good distance. In 
Section 5 we show in addition that the lifted codes are locally correctable. We emphasize that 
Sections 3, 4, and 5 apply to arbitrary base codes, not necessarily algebraic or even linear codes. 
In Section 6, we introduce the base codes used in our constructions. We review the Reed-Solomon 
code as a warmup, and then present the Hermitian code and the Hermitian tower code which we 
lift in Section 7 to obtain explicit high rate locally decodable codes with small alphabet size. We 
conclude in Section 8. 

2 Preliminaries 

2.1 Notation 

For integers a < b, let [a, b] denote the the set {a, a + l,a + 2, . . . , b} and let [a] denote [l,a]. 
Throughout the paper, we let $ denote a set of functions mapping D — > D. We assume that 3> 
contains the identity id : D — > D which fixes every element of D. We say $ acts on D. 

Let / : D — > R and let a G <3? where $ acts on D. The function / o a : D — > R is defined by 



(foa)(x) = f(a(x)) 

for all x G D. Let m > 1 and let a = (01, • • • > Cm) G 3 >m - For a function / : D 1 
function f\ a : D — > R by 

(f\cr)(x) = f(ai(x),...,a m (x)) 



R, define the 



for all x € D. For a set $ acting on D and a point u G D m , define the automorphisms passing 
through u to be 



<I>, 



{a € $ m | <7i = id,cTj(ui) = UiMi G [2,ra]}. 



For an event A, let 1a denote the indicator variable for A, i.e. 

(l if A 

I otherwise. 

Let f,g:D—>R. The (relative) distance between f and g, is 

S(f,g) =E xeD [t f{x) ^ g ( x) ]. 

For a collection C C {D —> R} of functions, the distance between f : D —?■ R and C is 

6(f,C)± mm 6(f,g). 

For a code C C {D — > R}, the distance of C is 

5(C) = min 6(f, a) 
y ' f,geC U ' y; 

If q is a prime power, let ¥ q denote the finite field of order q, which is unique up to isomorphism. 

2.2 Terminology 

For an algorithm A and function /, let A.' denote the algorithm A given oracle access to /. 

Definition 2.1 (Locally correctable code). A code C C {D — > R} is (q,r) -locally correctable if 
there exists a randomized algorithm A satisfying the following properties: 

1. A-' makes at most q queries to /; 

2. If there exists g £ C such that 6(f,g) < r, then for every x € D we have A? (x) = g(x) with 
probability at least 2/3 over the randomness of A. 

Definition 2.2 (Locally decodable code). A code C C {D — > R} is (q,r) -locally decodable if C 
is the image of an encoding function Enc : R k — > R D and there exists a randomized algorithm A 
satisfying the following properties: 

1. A? makes at most q queries to /; 

2. If there exists m £ R k such that 5(f, Enc(m)) < r, then for every i e [k] we have A^(i) = mi 
with probability at least 2/3 over the randomness of A. 

For linear codes, local correctability is stronger than local decodability, since one can arrange 
the generator matrix of the code such that the message is part of the codeword. 

3 Definitions 

In this section we give the key definitions in the paper, namely ^-lifting and the notion of a set $ 
being "close" to doubly transitive, which is borrowed from [1]. 



3.1 Lifting 

Definition 3.1. Let $ act on D and let C C {D — > R}. The m-dimensional &-lift of C, denoted 
Lift^(C), is the set 

Lift£(C) = {f :D m ^R\f\ a £C for all a G $ m }. 

We say C C {D — > R} is ^-invariant if whenever / G C and c G <3? we also have f o a & C. 
Notice that Definition 3.1 does not require that C be ^-invariant, or even that $ be a group! Indeed, 
<3?-invariance only ensures us that 

Lifl£(C)=C 

and if in addition is a group, then the lift operation composes: 

Lift^(Liftg(C))=Liftr(C) 

where <I? n acts on D m componentwise, i.e. if <p = (jpi, . . . (p m ) G & m and x = (x±, . . . ,x m ) G D m , 
then tp(x) = (tpi(xi),...,(p n (xn)). 

The affine lifting found in [5] is (almost) an example of our notion of lifting. Take D = R = ¥ q 
and $ to be the group of affine permutations on D, i.e. maps of the form x i— >■ ax + b for a G F* 
6 G Wg. Then Lift^(C) consists of all / : F™ — y ¥ q such that f\^ G C for all lines L that are not axis- 
parallel. The affine-lifted codes in [5] consider every line, including the axis-parallel ones. Though 
we could have defined ^-lifting to properly generalize affine-lifting, we chose our definition because 
it is cleaner to state, makes proofs cleaner, and makes negligible difference in the parameters we 
care about. We point out that one limitation of our definition is that we can only lift a domain D 
to a direct product D m , whereas the affine lifting of [5] allows lifting from F™ to F" for any m < re. 

Though any code can be lifted, our constructions in the paper use linear codes as the base 
code. A code C C {D — > R} is linear if R = F is a field and C is a F-vector space. To argue that 
the lifted code is large, we argue that it has large dimension by showing it contains many linearly 
independent codewords. To do so, we need the following fact, which is straightforward to verify. 

Proposition 3.2. If C is linear overF, then so is Lift^(C). 

3.2 Double transitivity 

Now we define the notions of "closeness" to double transitivity that we will work with. There are 
two such notions, taken from [1]. 

Definition 3.3. A set $ acting on a set D is doubly transitive if it is transitive on pairs in <3?, i.e. 
for every x\ / X2 G D and y\ ^ yi G D, there exists a G $ such that a(x\) = y\ and <j(x-i) = yi- 

Definition 3.4 ([.!]). A set <£ acting on a set D is (e,a)-doubly transitive if, for every x±,X2 G D, 
for at least 1 — e fraction of points x G D, the random variable o~(x) is uniformly distributed on 
1 — a fraction of D, where a is chosen uniformly from the set {a G $ | a(xi) = £2} = &( Xl ,x 2 )- 



When $ is a group acting transitively on D, double transitivity is equivalent to I -r^r, I -double 

transitivity (see [1, Lemmas 6.8, 6.9]). Indeed, given x±, xi G D, for every point x 7^ x±, the random 
variable cr(x) is uniformly distributed on D, when a is drawn from those mapping o~{x{) = x%. 
However, a{x\) itself will always equal X2- 



Example 3.5. Let D = ¥ q and <L> = {x ^ ax + b \ a G F*, b G FJ. Then $ is (±, 0)-double 
transitive. This follows from the fact that <3? is doubly transitive on D. Another way to see this 
is to note that, given x\,X2 G D, o~{x\) = x^ implies a{x) = a{x — x\) + X2 for some a G F*. 
Therefore, for every x ^ x\ and every y G ¥ q , there exists a unique a such that cr(x) = y, namely 
the one with a = (y — X2){x — xi) -1 . 

The second notion of "closeness" to double transitive involves distributions that are statistically 
close to uniform. The precise definition is as follows. 

Definition 3.6. Let pi,P2 be two distributions on D, i.e. YlxeDPi( x ) = Y1x&dP^( x ) = 1 and 
Pi(x),p2(x) > for all iED, The distance between p\ and p2 is 



\\Pi -P2II =™ 



^2pi(x)-^2p2(x) 

x£A xeA 



Definition 3.7 ([:]). A set $ acting on a set D is (a, e)-close to c-steps uniform if, for every x\,X2 G 
D, for at least 1 — e fraction of points x G D, if one uniformly randomly chooses wi, . . . , u> c _i G D 
and o"i, . . . , a c G $ such that cti(xi) = X2 and ^(u^-i) = o"j_i(w;j_i) for 2 < i < c, then the random 
variable a c {x) is a-close to uniformly distributed on D. 

The motivation behind Definition 3.7 is the use of fractal correcting in [1]. Intuitively, one may 
think of f\ a as / restricted to some curve in D m . For simplicity assume m = 2. To correct the 
received word / at a particular point x, the usual approach is to pick a random curve passing through 
x and correct the shorter word / restricted to the curve. Parametrize the curve by (a;, cr(x)). Then 
the condition that the curve passes through x = (xi,X2) is equivalent to a{x\) = X2- If the curve 
samples D uniformly, then with high probability the curve does not contain too many corrupted 
points. If $ is not doubly transitive, however, then random curves may not sample D 2 uniformly. 
The intuition behind fractal correcting is to first pick a random curve u\ passing through x (i.e. 
o~\{x\) = X2), then pick a random point (wi,ai(wi)) sitting on the point, then pick another random 
curve 02 passing through (tt>i,ai(tt>i)) (i.e. 02(^1) = 0*1 (n>i)) an d so on. After c steps, the cth 
curve a c will sample the space nearly uniformly. We elaborate on this in Sections 4 and 5. 

4 Distance of lifted codes 

In this section we show that if C is a linear code with constant positive distance, and the set <I> acting 
on the domain D is nearly doubly transitive, then Lift^(C) has constant positive distance. Our 
lower bound on the distance of Lift$(C) degrades as m grows, but for our purposes m is constant, 
so the distance of the lift is constant as well. We emphasize that the results in this section apply 
to any code C, even non-linear codes. 

We begin by lower bounding the distance of the lift when the set is close to doubly transitive, 
in the sense of Definition 3.4, i.e. when $ is (e, a)-double transitive. 

The following lemma will be used in proving both Theorems 4.2 and 5.1. 

Lemma 4.1. Let $ acting on D be (e,a)-double transitive. Let m > 1 and let f,g€ {D m — > R}. 

Fixx eO m . Then 

o(f,g) 



E, 



«re* B P(/|<r.0|«r)] - e + Q 



(1-q) 



TO— 1 ' 



Proof. Let D' C D be the set of z G -D such that <r(z) is uniform over 1 — a fraction of D, when a 
is chosen uniformly from <3? x , as in Definition 3.4. Note that \D'\ > (1 — e)|.D|. We have 

= ^z^D'^ae<S> x [l/| CT ( z )^g| CT ( 2 )] + E^^/E^g^ l/| CT ( z )^g| CT (z)] 

<5(/,<?) 



< e 



(1 - a)™" 1 



where the final inequality follows from the fact that the last m — 1 coordinates of cr(z) are uniform 
over (1 — a) m_1 fraction of D™" 1 and in the worst case all the disparate points of / and g all lie 
in this subset. □ 

Theorem 4.2. Let C C {D — > R} be a code with distance 5, and <J> acting on D is (e,a)-doubly 
transitive. Then J(Lift£(C)) > (1 - a) m - 1 {5 - e). 

Proof. Let /, g G Lift$ (C) be distinct and fix x G D m such that f(x) ^ g(x). By Lemma 4.1, 

8(f,g) 



^a^Mf\<r,g\a)]<e + 

V 1 - ixy 

Therefore, there exists a G § x such that 5(f\ a , g\ a ) < e + (1 _hm-i • But f\ ff {x\) = f(x) ^ 



(1 - a)" 1 - 1 



g(x) -- g\ a {x\), so f\ a and g\ a are distinct codewords of C and hence <5 < e + (1 _ A'm-i , i.e. 
£(/,<?)> (1 - a)™" 1 (£-e). D 

Next we prove a similar result when <I> is close to doubly transitive in the sense of Definition 3.7, 
i.e. is to (a,e)-close to c-steps uniform. First, some straightforward but useful facts. 

Lemma 4.3. // X and Y are independent and X is a-close to uniform over S and Y is (3-close 
to uniform over T, then (X, Y) is a + (3-uniform over S x T. 

Corollary 4.4. If Xi G D is a-close to uniform for each i G [m] and are independent, then 
(Xi, . . . ,X m ) G D m is ma-close to uniform. 

The following lemma will be used in proving both Theorems 4.6 and 5.3. 

Lemma 4.5. Let $ acting on D be (a, e)-close to c-steps uniform. Let m > 1 and let f,g£ {D m — > 
R}. Fix xeD m . Then 

E^e^E^goE^e^^ • • • E^^^^ [<$(/k)0k)] < S(f, g) + e + ma. 

Proof. Let D' C D be the set of z G D such that cr c (z) is a-close to uniform, as in Definition 3.7. 
Note that \D'\ > (1 - e)|D|. Then 

= E zeD E (rie $ :c E lUieI )E (T2e3>cri(uii) • • • E^e^^^j [l/| CTc 0)^ s | CTc ( z )] 

< e + E 2eD /E CTie$;c E WieD E CT2G $ CTi(uji) • • • E^e^^^u,^!) [l/ke (z)? g \„ c (z)] 

< e + 5{f,g) +ma. 



D 
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Theorem 4.6. Let C be a code with distance 5, and 3> is (a,e)-close to c-steps uniform. Then 
5(Lift£(C)) >5 c -ma-e. 

Proof. Let f,g G Lift^(C) be distinct and let r = 6(f,g). Fix x G D such that /(x) / g(x). We 
claim that, for each i G [c], there exists w^i G -D and ctj G ( ^ CTi _ 1 ( Wi _ 1 ) such that 

< E^ 6D E ff . +l6#a . K) •••E ffc63>CTc _ i(Wc _ i) E zeD [l/| CTc (*)^| CTc (z)] < fiiZi • 

We prove the claim by induction. The base case i = 1 follows by taking o"o G & x , wq = xi, and 
noting that, by Lemma 4.5, since 

E^g^E^goE^e^^ . . . E,^^^,!,^ [l/k c M*?kcOd - r + ma + e ' 
there exists o~\ G $ x such that 

E^eoE^e^^ • • • ^ei^^jE^jj [l/| CTc M*?|a c (*)] - r + ma + e " 

Moreover, this expectation is positive because f{x) ^ g{x). Now suppose we have proved the i — 1 
case. The restrictions /| eri _ 1 and fflo-^j are distinct codewords of C (since they disagree at Wi-2) 
and hence for at least J-fraction of u>?,_i G D we have /(<Ti_i(u>i_i)) 7^ ^(o"i_i(i(;j_i)). Restricting 
to these u^-i, we get 

< <J • E (rie#CT ._ iK _ i) E WieI3 E (ri+l6#CT . K) • ••E (rce $ CTc _ i(TOc _ i) E xer) [l/| CTc («)^ s | CTc ( z )j < ^2 

and the claim thus follows. 

From the i = c case of the claim, it follows that there exists a c G $ such that 

n _, rnl -i . r + ma + e 

< E 2eD [1/1^)^1^)] < — ^n — ■ 

Thus f\ a and p| CT are distinct codewords of C, so we have 5 < T+ £ ia i + ' E ■ D 

5 Correction algorithms 

In this section we describe how to locally correct a lifted code, given a decoding algorithm for the 
base code. We present two correcting methods. The first is one-shot correcting, which abstracts the 
local correcting algorithms for Reed-Muller codes and the affine-lifted Reed-Solomon codes of [5], 
and is also used for correcting degree-lifted AG codes in [1]. The idea is to pick a random curve 
passing through the point which we would like to correct, view the restriction of the received word 
to the curve as a received word that should be close to a codeword of the base code, and then 
use the base code decoder to correct the point. The second method is fractal correcting, which 
was introduced by Ben-Sasson et al [1]. The idea is to recursively perform one-shot correcting. To 
correct a point, pick a random curve passing through it. However, now recursively correct each 
point on the curve. If <I> is close to c-steps uniform, then fractal correcting with recursion depth 
c should succeed with high probability. The analysis of the fractal correction algorithm is found 
in [1], but we include a proof here for completeness. We emphasize that, as in Section 4, the results 
of this section apply to arbitrary codes C. 
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5.1 One-shot correcting 

The one-shot correcting algorithm A works as follows. To compute A?(x): 

1. Pick a G $ x uniformly at random. 

2. Use the decoding algorithm for C to correct f\ a to some function g G C. 

3. Output <7(xi). 

Theorem 5.1. LeiC C {D — > i?} 6e a code with distance 8 and suppose <J? is (e, a)-doubly transitive. 
Let C = Lift|?(C). Suppose 

5(f, C) < (1 - a)™" 1 • min{(5/6 - e, (<5 - e)/2}. 

TTien £/iene exists a unique f £ C such that 6(f, f) < 6(f, C) and for any x G D m we have 
A*(x) = f(x) with probability at least 2/3 over the randomness of A. 

Proof. By Theorem 4.2, 6(C) > (l-a) m ~ 1 (5-e). Since S(f, /) < 8(C) [2, /is unique. Fix s G L>"\ 
By Lemma 4.1, 

^e^^l/laJUjJ < e + Ti „w_l ^ e + 



(1 - a)™" 1 ~ (1 - a)" 1 " 1 ' 

By Markov's inequality, with probability at least 2/3, S(f\ a , f\ a ) < 3 ( e + n-aW-i ) < ^/^- Step 2 

of the algorithm finds some g G C such that 5(f\ (T ,g) < 5/2. But both g, f\ a G C and 5(g, f\ a ) < 5, 
so in fact g = f\ a . Therefore, A* (x) = g(x\) = f\ a (x\) = f(x). D 

Corollary 5.2. 7/C C {D — > R} has distance 5 and <I> acting on D is (e,a)-doubly transitive, then 
Lift$ (C) is (q,r) -locally correctable for q = \D\ and r = 0((\ - a) m ~ l (5 - e)). 

5.2 Fractal correcting 

The c-step fractal correction algorithm A c works as follows. To compute A c (x): 

1. If c = 1, output A*(x). 

2. Otherwise, c > 1. Pick a G & x uniformly at random. 

3. Compute /' = A f c ^\ a . That is, for each z G D let f'(z) = A f c ^(a(z)). 

4. Use the decoding algorithm for C to correct /' to some function g G C. 

5. Output g(x\). 

Theorem 5.3. Let C C {D — > R} be a code with distance 5 and suppose <1> acting on D is (a, e)- 
close to c-steps uniform. Let C = Lift$ (C). Suppose 

5(f, C) < min | -(5/2) c - e - ma, (5 C - e - ma)/2 

Then there exists a unique f G C such that 6(f, f) < 6(f, C) and for any x G D m we have 
A c (x) = f(x) with probability at least 2/3 over the randomness of A. 
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Proof. By Theorem 4.6, 6(C) > 6 C — e — ma. Since 6(f, f) < 6(C)/2, f is unique. Fix x € D m . 
For i € [c], let pi denote the average probability that the ith bottom-most level of the recursion 
fails. Our goal is to show that p c < 1/3. We will show in fact that pi < ^(6/2) c ~ l for all j£ [c]. 
By Lemma 4.5, the average of 6(f\ (Tc ,f\ (Tc ) over all a c chosen in the bottom-most level is at most 
6(f, C) + e + ma, so by Markov's inequality with probability at most §(#(/, C) + e + ma) we have 

5(/k,/k) > V2, i.e. Pi < §($(/,£) + 6 + ma) < KW" 1 - 

Now inductively assume pi < g(5/2) c_i . The average value of <J(/|<r c _ j+1 ,/|<r c _ i+ i) is at most 
Pi. By Markov's inequality, with probability at most %pi we have 6(f\ (7c _ i ,f\ (7c _ i ) > 6/2, so p$_|_i < 
| K <i((5/2) c -^ +1 ). D 

Corollary 5.4. If C Q {D — > R} has distance 6 for some $ that is (a, e) -close to c-steps uniform, 
where c = 0(1), then Lift^(C) is (q,r) -locally correctable for q = \D\ C and r = 0(6 C — e — ma). 

6 Base codes 

In this section we review existing codes, in particular the Reed-Solomon code, the Hermitian code, 
and the Hermitian tower code, the latter two which we use in Section 7 to construct new high rate 
locally correctable codes over small alphabets. 

Algebraic geometry codes. The Reed-Solomon and Hermitian codes are instances of algebraic 
geometry codes. Since we can describe our base codes, our lifted codes, and their properties without 
using any terminology typically used in the context of AG codes (e.g. the language of algebraic 
function fields), we avoid using such terminology and stick to an elementary exposition. In fact, 
the only deep results from the theory of algebraic function fields that we use can be stated in 
elementary terms. The interested reader is referred to [11] for details on the theory of algebraic 
function fields and codes. 

6.1 Reed-Solomon code 

Let q be a prime power. The Reed-Solomon code RS g [r] C ¥ q [x]/(x g — x) can be defined as 

RS[r] = span F {x l \ i < r}. 

It is a [q, r, q — r + l] g -code. Note that its alphabet size q = N where iV is its block size. One can 
identify ¥ q [x\/(x q — x) with {¥ q — > F g }. Consider the group $ consisting of all affine permutations 
on Wq, i.e. $ = {x^aj; + 6|a6 ^l,b € F y }, which acts on ¥ q . Clearly RS g [r] is ^-invariant. 
Moreover, $ is doubly transitive (Example 3.5) and |$| = q(q — 1), so it is just large enough to be 
doubly transitive. In [5], it was shown that Lift^(RS f/ [(l — 6)q]) has block length q m , distance at 

least 6 (which also follows from Theorem 4.2), and rate at least 1 — 6 V mmi °s m / when q is a 

power of 2. 

6.2 Hermitian code 

Let q be a prime power. The Hermitian curve H C F 2 2 is the set 

H±{(x,y)\N(x) = Tr(y)} 
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where iV : ¥ q 2 — > ¥ q is the norm N(x) = x 1+q and Tr : ¥ q 2 — > ¥ q is the trace Tr(x) = x + x q . 
It can be shown that N is multiplicative and is a surjective group homomorphism from F* 2 — > ¥* 
(and hence a (q + l)-to-l map on F* 2 ) and that Tr is additive and is a surjective F^-linear map 



<r 



from F f/ 2 — > ¥ q (and hence a q-to-1 map on ¥ q 2). It follows that \H\ = q , since for every x € F 
there are exactly g values of y € F„2 such that Tr(y) = N(x). 



,-_> 



,,- 



The Hermitian code Herm 9 [r] C ¥ q 2[x\/(x q — x,y q — y, N(x) — Tr{y)) is defined as 
Hermjr] = span F {x l y 3 \ qi + (q + l)j < r, j < <?}. 



,2 



It follows from the Riemann-Roch theorem that Herm g [r] is a [q 3 ,r — g, q 3 — r + l] g 2-code, where 

g = fJ ^ 2 - is the genus of the curve H (one can also deduce this by counting the number of 
"degrees" d which cannot be obtained by a sum qi + (q + l)j). Though the Hermitian code has a 
worse rate-distance trade-off than the Reed-Solomon code, its alphabet size is significantly smaller 
(q 2 compared to a block length of q 3 ). 

Consider the group $ of maps (x, y) i-> {ax + b, a q+1 y + ab q x + c) for a € F* 2 , (b, c) G ff . One 
can verify that this a group of order q 3 {q 2 — 1) acting on H and moreover Herm g [r] is ^-invariant. 
For interesting values of r, the group <3? is the largest group under which the Hermitian code is 
invariant [12]. The group $ is not doubly transitive, but it is shown in [1] that it is almost doubly 
transitive, in both the senses of Definitions 3.4 and 3.7. We recall the precise statements. 

Proposition 6.1 ([!, Theorem 6.3]). Let $ be as above. Then <£ is (e,a)-doubly transitive for 
e = i and a = 1 — -. 

q l q 

Proposition 6.2 ([i, Theorem 7.3]). Let $ be as above. Then $ is (a,e)-close to 2-steps uniform 
for a = e = - . 

J q 

In fact, we show in Theorem 6.6 (by letting n = 2) that we can take e = in Proposition 6.2. 
Applying Theorem 4.6 and Corollary 5.4 to the above facts, we immediately get the following. 



Theorem 6.3. Let <I> be the group of automorphisms on H of the form (x,y) i-> (ax + b,a q+1 y + 

). Let r = (1 — 5)q 3 , so 
at least S 2 — — and is (q 6 ,0(5 2 — —))-locally correctable. 



ab q x + c). Let r = (1 — 5)q 3 , so that Herm g [r] has distance 5. Then Lift^ 1 (Herm g [r] ) has distance 



Note that, though the $-lift of Herm (? [(l — 5)q 3 ] has distance roughly 5 2 which is less than that 
of the degree-lift, whose distance is 5 (see [1]), its error correcting capability is the same. 

6.3 Hermitian tower 

The Hermitian tower is an extension of the Hermitian code and was discussed in [10], and also 
used for list decoding constructions in [6]. Let q be a prime power. The nth Hermitian tower curve 
H n C F n 2 is the set 

H n = {(x 1 ,...,x n ) | N(xi) =Tr(x i+1 ) Vi € [n - 1]} 

where the norm N and the trace Tr are as defined above. It is straightforward to verify that 
I H I — a n+1 

\ llr n. — Q 
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Let I n C ¥ q 2[xi, . . . ,x n ] be the ideal generated by x\ — Xj for all i G [n], and let J n C 
F g 2[xi, . . . ,x n ] be the ideal generated by N(xi) — Tr(xj + i) for all i G [n — 1]. The nth Hermitian 
tower code Herm"[r] C ¥ q 2 [x\,..., x n ]/(I n + J n ) is defined as 



Herm™ [r] = span F 2 



^g n_j (g + Vf'Hj < r, Xi < q V« > 2 



i=i 



The genus of the curve is at most ng™, so Herm™[r] is a [c/ 



ra+1 



nq n , q n+1 — r] g 2-code. Though it 



has even worse rate-distance trade-off than the base Hermitian code, its alphabet size is significantly 
smaller for a given block length. 



6.3.1 Constructing endomorphisms 

In this section we will construct a set <3? n acting on H n which will be close to doubly transitive. 
Unlike in the cases of the previous codes, <!>„, is not a group. 



For a G F„a, we define "scalings" o~ a : H n — > H n as follows. For x 



(xi, 



G H n , define 



(o~ a )i(x) = a( q+1 > Xi, and define a a (x) = ((a a )i(x), . . . , (a a ) n (x)). One can verify that the image 
of a a is indeed contained in H n . The identity is o~\ and also a" 1 = a a -i. 

For b = (b±, . . . ,b n ) G H n , we define "translations" r^ : H n — > H n as follows. We will define 
(rb)i for each i G [n] and then define Tb(x) = ((rb)i(x), . . . , (rfe) n (a;)). For each i G [n], define 
(T~b)i(x) = Xi + pi + bi for a specific pi, which is a polynomial in x\, . . . , Xj_i, b±, . . . , fej_i. 

Definition 6.4. The q-weight of a number M is the sum of its digits in base q. The g-weight 



of a monomial x 1 ^ 






is the sum of the g-weights of the exponents. For a polynomial p G 



¥[x±, . . . , x n , j/i, . . .], the (x, q)-weight oi p is the maximum over all monomials of p of the (/-weights 
of the monomial, where only the Xj are considered. 

We will define pi such that it has (x, g)-weight i — 1 for i > 2. Define pi = 0. Assume i > 2 and 
Pi_i (and hence (rfe)j_i) is defined. Expanding N((Tb)i-i(x)), we get 

Nfa-i + pi_i + 6i_i) = iV(a^_i) + JV(pi_i) + Tripl^Xi-! + 6?_iPi-i + Ci^-i) + ^(^-i) 

= rr(xi) + iV(pi_i) + Tr{j)\_ x xi. x + Cl^-l + Ci^-i) + rr(6»). 



Write Pi-i in the form 



Pi-l 



E 



t 3 L 3 



(by arbitrarily singling out a variable from each monomial; one can check by induction that every 
monomial has some x variable) where ij < i—1 and the ol% ■ are polynomials in xi, . . . , Xi— i, 6i, . . . , 6j_i 
with (x, g)-weight at most i — 3. Then 

iV(pi_i) = 5^^( aij .)^(x^) +Tr(pO 

for some polynomial p' in xi, . . . , Xj_i, 6i, . . . , 6j_i of (x, (/)-weight at most i — 2. Also note that 
N(ai.) has (x,g)-weight at most i — 2. Using the fact that 7V(xj.) = Tr(xj.+i), the fact that the 
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image of N is contained in ¥ q , and the fact that Tr is F^-linear, we have 

Nfa-i) = Tr l^ t N(a ij )x ij+1 +p' J . 
Define 

Pi — 5Z N ( a ij) x ij+l + P + Pi-l^i-1 + &i_iPi-l + ^-1^-1 

which has (a;, g)-weight at most i — 1 (since raising to the qth power does not increase g-weight) 
and so 

N(xi-i +Pi-i +6»_i) = Tr(xj +pj + 6i). 

This completes the definition of {jb)i for each i, and hence the definition of r^. By construction, 
the image of tj, is contained in H n . The identity translation is To (one can check that substitution 
b = in pi yields the zero polynomial) . 

6.3.2 Closeness to double transitivity 

For the rest of this section, we will focus on $ n , the set of maps (p a b for (a, b) G F* 2 x H n , where 
fa,b = T b ° o~ a , where a a and tj, are as defined in Section 6.3.1. In particular, we show that $ n is 
close to 2-steps uniform when q is a power of 2. 

Lemma 6.5. Let X be a random variable with values in S of size \S\ = q 2 , and let E be an event 
of probability 1/q. If X\-^ is uniform, then X is --close to uniform. 

Proof. For x € S, let p{x) = Pi[X = x], pe(x) = Pr[X = x \ E], and Pg(x) = Pi[X = x \ E], so 
that p{x) = PE(x)/q + p^(x)(l — 1/q). Then, for any ACS, 

v^ , s \A\ 1 fsr^ , x \A\\ ( 1\ fsr^ , s \ A \\ 

which is bounded in absolute value by -. □ 

•> q 

Theorem 6.6. Assume q is a power of 2. Then <3? n is (-,0)-close to 2-steps uniform. 

Proof. Fix y,z £ H n . We are randomly choosing automorphisms 93, if) € & n and w S H n such that 
<p(x) = y and ijj(w) = (f(w). Write 

ipi(x) = a (<7+1) ' Xi+pi(x,a,b) + bi 

and 

tpi(x) = c (9+1)1 Xi+pi(x,c,d) + di. 

where Pi(x, a, b) does not involve Xj, bj for j > i. The condition <p(y) = z forces 

Zi = Vi{y) = a (9+1) ' yi +pi(y,a,b) + bi 
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which implies 

bi = Zi - a (</+1)! yi-Pi(y,a,b) 

and hence 

tfi(x) = a (g+1) * (%i - yi) + pi(x, a, b) - pi(y, a, b) + Z{ 

The condition ip(w) = (p(w) forces 

c (9+1) ' Wi +pi(w,c, d) +di = a (9+1) * (w - yi) +pi(w,a,b) -pi(y,a,b) + ^ 
which implies 

di = -c^ q+1 > Wi + a> q+1 > (w -yi) -pi(w,c,d) +pi(w,a,b) -pi(y,a,b) + Zi 

and hence 

ipi(x) = c (9+1)l (xi - Wi) + a (g+1)l (wi - yi) - pi(w, c, d) + Pi(w, a, b) - pi(y, a, b) + -Zj. 

Thus we want to show that, for all x € iJ n , if we randomly choose a,c,w then ip(x) is — close 
to uniform on H n . Fix n € -ff n . Let -E be the event that a q+1 = c q+1 , which happens with 
probability -. Observe that the coefficient of Wi in cr Xi (x) is a' 9+ " — c' 9+1 " = a 2% ( q+1 > — 

c 2 ' (9+1) — ( a 9+! — c <?+1 ) 21 for i > 2, since g is a power of 2. If £7 holds, then this coefficient 
is nonzero (since a q+1 7^ c q+1 also implies a 7^ c), and so we can solve tpi(x) = Ui for Wj in terms 
of a,c,y,z,Wi, . . . ,Wi-±, and thus there exists a unique u> € i? n such that VK^) = u i i- e - ^(^ is 
uniform on H n conditioned on E. By Lemma 6.5, ip(x) is --close to uniform on H n . D 

7 Explicit Constructions 

In this section, we describe explicit constructions of high rate locally correctable codes. In Sec- 
tion 7.1 we construct codes by lifting the Hermitian code (see Section 6.2 for the definition of the 
base code) and in Section 7.2 we construct codes by lifting the Hermitian tower (see Section 6.3 for 
the definition of the base code) . 

7.1 Lifting the Hermitian code 

In this section we prove the following. 

Theorem 7.1. Given e,a,No > 0, for infinitely many N > Nq there exists a code of length N, 
rate 1 — a, alphabet size N 6 ' 3 and is (N e ,a °" 8 / e > s ^' e '') -locally correctable. 

We prove this using lifted Hermitian codes. We defer the proof to the end of the section. 

Let m > 1, let q = 2 £ > m, let c > such that I — c > [log 2 m], and let r = (1 — 2~ c )q 3 . 



Let $ be the group of automorphisms on the Hermitian curve H C F 2 of the form (x, y) h-> 



q 2 

(ax + 6, a q+1 y + aWx + c), and let C = Lift$ (Hermjr]). By Theorem 6.3, C has distance 2" 2c - ^ 
and is 0(q e ,0(2~ 2c — — ))-locally correctable. Its length is q 3m and alphabet size is q 2 . The only 
missing parameter is the rate, to which we devote the rest of this section. 
After lifting, the domain of our code is 

H m = {(x!, yi , . . .,x m ,y m ) 6 F^ I N(x k ) = Tr(y k ) VA; G [m]}. 
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A monomial on H m is a monomial of the form HfcLi x% k^k w ^ n ^k < Q 2 and j k < q for all k G [m]. 
The reason for these conditions is to ensure the monomials define distinct functions on H m . In 
fact, one can show the monomials on H m form a basis of {H m — > F^} as a F„2-vector space. 

Definition 7.2. Let p be a prime. Let a, 6 G N and consider their base p representations a = 
^2i >0 ciip' 1 and b = ^2 i>0 bip l where each Oj, bi G [0,p — 1]. Then a is t/ie in i/te p-shadow of b, 
denoted a < p b, if at < bi for all i. Moreover, for a,b,c G N, we say (a, b) < p c if a» + bi < Ci for 
all i. 

The following generalized theorem of Lucas will be crucial for our analysis later. For a + b < c, 
we let ( b a ) denote the standard trinomial coefficient ,, u a '_ b y which is the coefficient of x b y c in the 

expansion of (x + y + l) a . Note that the standard binomial coefficient is (£) = (A) 

Theorem 7.3 ((Generalized) Lucas' theorem). Lei a, 6, c G N wi/i p-ary representations given by 
a>i,bi,Ci. Then 

In particular, (, a c ) mod p is nonzero only if (b, c) < p a. 

Our strategy for lower bounding dimir 2 £ is to lower bound the number of monomials on H m 

in C For a monomial f(x\,yi, . . . ,x m ,y m ) = YYk=i x% kVlt an< ^ a ma P ° e ^ m wnere a k( x iV) = 
(a k x + 6fc, a q k + y + a k b\x + Ck), we have 



f(o-(x,y)) = \(a k x + b k y k (a q k +1 y + b q k x + c k 



.it, 



fc=i 



fe=i 




[( E (•••)^ fc E (-)^i/ 

/ \«,efc)<pjfc 



Vfc d k <pi k ,(d' k ,e k )< p j k 

where the (• • • ) indicate constants which do not matter. Thus, the monomial / is in C if the 
following holds: for all k G [m], for all d k < p i k and all (d' k ,e k ) < p j k , after reducing the monomial 
x i-<k=i d k+ d k yT,k=i e k modulo the ideal / = (x q — x,y q — y,x q+1 — y q — y), the resulting sum of 
monomials x l yi all satisfy qi + (q + l)j < r. The basis of monomials on H given by x % y 3 with i < q 2 
and j < q provides a canonical way to reduce monomials modulo /. To reduce x l y :! , we perform the 
following steps. While i > q 2 or j > q, if i > q 2 , reduce x l y^ to x l ~ q +1 y J ; if j > q, reduce x l y^ to 
x i+q+iyj-q _ x iyj-q+i ^ eac h s tep, either the degree of x is strictly decreasing or the degree of y 
is strictly decreasing, and the degree of y never increases, so this process will eventually terminate. 

Lemma 7.4. For a G N, let a,i denote the ith bit in the binary representation of a, i.e. a = 
J2i>o a i 2 '- Letb = 2+ |~log 2 m] . Let 

Good = {(n, . . . ,i m ,ii, . . . , j m ) \3se[2£-c,2£-b- 1] Vt G [0, 6] Vfc (»*),+* = (J fc ) s+t = 0}. 

If (it,... ,i m ,ji, ■ ■ ■ ,3m) G Good, i/ien FJfcLi ^J/fc* € Lift$(C). 
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Proof. For a € N, the condition a < r = (1 — 2~ c )(/ 3 is equivalent to the condition 3s' € [3£— c, 3^—1] 
such that <v = 0. For each k € [to], fix dk < p ik and (d' k ,ek) < P Jfc- The hypothesis implies 
that (dk) s +t — (^fc)s+* = ( e fc)s+t = for all t € [0,6]. It suffices to show that after reducing 
x 2-^k=i d k+ d ky^k=i e k modulo / into a sum of monomials x l yi with i < q 2 and j < q, each of them 
satisfies (i)t = (j)t = for some t G [21 — c, 2£ — 1], for this would imply 

(«* + (9 + l)iW = (?*)t+* + ((? + i)i)t+^ = («)< + (J)t = o 

and since t + ^ £ [3£ — c, 3^ — 1] this implies the lemma. 

Let d = Ylk=i dk + d' k and let e = Y^k=i e k- Consider three cases. 

Case 1. d < q 2 , e < q. In this case, the monomoial x y e does not reduce, so it suffices to 
show that (d) s+ t, = (e) s+ b = 0. The only way one of these is 1 is by carrying from the lower 
order bits, so we may ignore the higher order bits and assume without loss of generality that 
(4)y = (4)-' = (e*)-' = for s' > s + 6. Then d k ,d' k , e k < 2 s , so £Li 4 + df k < (m2 s+1 ) < 2 s+b 
and thus (d) s+ b = and similarly Ylk=i e k < m 2 s < 2 s+b so (e) s+ b = 0. 

Case 2. d > q 2 , e < q. In this case, the monomial x d y e reduces to x dmod ( q ~ 1 'y e . By the 
previous case, {e) s+ b = 0, so it only remains to show (d mod (q 2 — l)) s +b = 0. Doubling d cyclically 
permutes the bits of d mod (q 2 — 1). In particular, (2d mod (q 2 — l))i = (d mod (g 2 — l))j-i mod 3^-1- 
Then (2 3e ~ 1 ~ s ~ b d mod (q 2 — l))j = (d mod (g 2 — l))i +s+ b+i-3e- Therefore, it suffices to show that 
(2 3i ~ 1 ~ s ~ b d mod (q 2 — l))3^_i = 0. Since the bits of order [s,s + 6] of d k ,d' k are zero, the bits 
of order [3£ - 1 - b,3£ - 1] of 2 3 ^~ 1 ~ s ~ 6 times dk,d' k ,ek are zero, hence 2 u ~ l ~ s ~ h dk mod (g 2 - 
1) < 2 u ~ 1 ~ b and similarly for d' k . Therefore Y%=\ 2 3£ - 1 " s - 6 (4 + 4) mod (g 2 - 1) < 2^^ so 
(2 3 ^- 1 - s - 6 d mod (q 2 - l))«_i = 0, and in fact (2^- 1 " s - fe d mod (<? 2 - 1)) M _ 2 = 0, so we can 
conclude that (d mod (q 2 — l))3^-i = (d mod (q 2 — l))3£-2 = 0, which we need in Case 3. 

Case 3. e > q. We induct on the (q,q + l)-weighted degree qd + (q + l)e. In this case, after 
reducing the y-degree by one step, the monomial reduces to x d+q+l y e ~ q — x d y e ~ q+l . The latter 
monomial has strictly smaller (q, g + l)-weighted degree, so by induction it is in C. Thus it suffices to 
deal with x d+q+l y e ~ q . Repeating this reduction and ignoring the monomials with strictly smaller 
(q, q + l)-weighted degree, after at most to reductions (since e^ < q and so e < mq) we have 

x d+u(q+l) y emodq for SQme u < m ^ w hi c h further reduces to ^^Mg+l) mod (g 2 -l) y emod g_ Thig j g 

almost Case 2, except for the additional u(q + 1) in the exponent of x. By Case 2, (d mod {q 2 — 
l)) s+ b_i = (d mod (q 2 — l)) s +6 = and (e mod g) s+ (, = 0. Note that since [log 2 to] < £ — c, 
u(g + l) < TO(g+l) < 2 2£ - c + 2^ c < 2 S+1 . Write d mod (<? 2 -l) as d' + 2 s+b+l d" where d! < 2 s+b ~ 1 . 
Thend+u{q+l) mod (<? 2 -l) = d'+u{q+l)+2 s+b+l d" < 2 s+b ~ l +2 s+l +2 s+b+1 d" < 2 s+b +2 s+b+1 d" 
so (d+u(q + 1) mod (q 2 - l)) s+b = 0. □ 

Lemma 7.5. Zei Good be defined as in Lemma 7.4- Let 6 = 2+ [log 2 TO,]. Then 

|Good| > q 3m (l - (1 - 2~ mb ) c ' b ). 

Proof. We show the equivalent assertion that, by picking i\, . . . ,i m < q 2 and ji,...,j m < 1 uni- 
formly at random, the probability that (i±, . . . , i m ,ji, ■ ■ ■ ,j m ) £ Good is 1 — (1 — 2~ mb ) c ' b ) at least. 
Note that each j^ < q so we only need to consider the i& . Partition [3£ — c,3£ — 1] into c/b intervals 
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each of length 6. Let E{ be the event that (ik)t = for all k G [m] and all t in the ith. interval. By 
Lemma 7.4, if \/ { E{ then (ii,..., i m ,jx, ■ ■ ■ ,j m ) G Good, so the probability of landing in Good is 
at least 



Pr 



i 



1-Pr 



A^ 



i _ (i _ 2 - mb y/ b . 



D 



Putting together Lemmas 7.4 and 7.5 with the discussion above, we immediately obtain the 
following. 

Theorem 7.6. Let m > 1, let c > and /ei 6 = 2~ c . Let q be a power of 2 such that 5q > m, and 
let r = (1 — 5)q 3 . Let <£ be the group of automorphisms on the Hermitian curve H C F 2 2 of the 
form (x, y) i— > (ax + 6, a q+1 y + a6 9 x + c) and /ei C = Lift $ (Herm g [r] ) . Lei 6 = 2+ |~log 2 m] . Tften 
i/ie rate of £ is at least 1 - (1 - 2" m6 ) c / fe > 1 - e - c l^ mb ) . 

Putting everything together, we now prove Theorem 7.1. 

Proof of Theorem 7.1. Fix e,a,No > 0. Recall that we want, for infinitely many N > Nq, a code 
of length N, rate 1 — a, alphabet size N e ' s , and is (N e , fi(l))-locally correctable. 

Set m = [2/e] . Let 6 = 2+ [log 2 m] and set c > 6-2 mfe In ^. Let 5 = 2~ c , set q to be a power of 2 
such that 5q > m and g 3m > iVo- Set N = g 3m and set r = (1— o~)g 3 . Let £ = Lift^(Hermq[r]) where 
$ is the usual automorphism group of the Hermitian curve H C F^ 2 • By our choice of parameters 

and Theorem 7.6, L has block length q 3m = N, rate at least 1 — e - c / b2m > 1 — a, alphabet size 
q 2 < N e < 3 , has query complexity g 6 < N e , and can correct up to 5 2 = cP^' e > /E ^sl 1 / 6 )). 

D 

Explicitness of code. Although a lifted code is not a priori explicit even if the base code 
is, Lemma 7.4 shows that the lifted Hermitian code (more accurately, a subcode with the same 
parameter guarantees) is explicit in the following way. Let Good be defined as in Lemma 7.4. 
The F„2-span of monomials in Good have the same rate guarantees as the full lift, its block length 
and alphabet size and locality are the same, and certainly its distance is at least as good, since 
it is a subcode. Moreover, to encode a message m G F*^ 00 * 1 into a codeword Enc(m) G ¥ H 2 m , first 
compute all the monomials in Good, which can be done by iterating over every monomial on H m 
and checking if it is in Good, which can be done in polynomial time. Then interpret the symbols of 
m as coefficients of the monomials in Good and let Enc(m) be the evaluations of m on every point 
of H m . 

7.2 Lifting the Hermitian tower 

Let m, n > 1, let q = 2 e , let k > 0, and let r = (1 — 2~ K )q n+1 , so that Herm™[r] has distance 2~ c . 
Let $ = <!>„ be the set of maps defined in Sections 6.3.1 and 6.3.2, and let C = Lift^(Hernig [r]). By 
Theorems 4.6 and 6.6, C has distance 2~ 2k - ^ and is 0{q 2( - n+1 \ 0(2~ 2k - ^))-locally correctable. 
Its length is q m \ n+l ) and alphabet size is q 2 . The only missing parameter is the rate, to which we 
devote the rest of this section. 
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7.2.1 Warm up: lifting from the 3rd level 



As a warm up, we estimate dimp 2 C when n = 3. As in Section 7.1, we consider monomials on 



H™, which have the form 



in 




k=l 

where ctk < q 2 , bk,Ck < q for all k G [m]. Also as in Section 7.1, we lower bound dimp 2 £ by 
lower bounding the number of monomials on H™ in C. We consider what happens to a monomial 

\Xk=i x k k yk z k k wnen we substitute (xk,yk, Zk) *-> <p^ '(x, y, z) for some (p = {^ l \ ■ ■ ■ , ip( m ') G <3? m . 
Though we may explicitly write out <p a ,b(x , y , z) , the constants do not matter, only the monomials 
that appear. For instance, though we know that (ip a ,b)i(x, y, z) = ax + b\, for our purposes it only 
matters that it takes the form (■■■)» + (■■■) where the (• • • ) denote constants that do not matter. 
Similarly, we have 

(<Pa,bh(x,y,z) = (■■■)x + (---)y + (■■■) 

{<p a , b ) 3 (x,y,z) = (■■■)x + (---)y + (---)z + (---)x q y + (---) 

so substituting ip( k \x,y, z) for (x k ,yk,Zk) in J]fcLi x< k Vk z t k > we § et 

)au / \ bu / \ Ci. 

{(■■■)x + (---)y+ (•••)) ((-)* + (•••)* + (•••)* + (•••)««V + (•••)) 

(•••)^ fc ) ( J^ (•••K' fc / fe ) ( Yl {■■■)x< +q5k y^ +Sk z^ 

(. . . ) x Er=i * k +<+<+iS ky Y. k li 0k+P' k +s hz ET=i 7^ . 

Vfc 
ct k <.pa k 

(<x' k ,/3 k )< p b k 

( a k >@ k > S k,lk)< P c k 

Thus, the monomial ni-Li ^k^k^k * s ™ ^ ^ ^he following holds: for all k G [m], for all a& < p a^, 
all (a' k , Pk) <p &fc] and all (a'^.,/3' k , 8k, Ik) <p C&, after reducing the monomial 

modulo the ideal I = 1% + J% (defined in Section 6.3), the resulting sum of monomials x a y z c all 
satisfy q 2 a + q(q + 1)6 + (q + l) 2 c < r. The basis of monomials on H$ given by x a y b z c with a < q 2 , 
b,c < q induces a canonical way to reduce monomials modulo /. To reduce x a y z c , perform the 
following steps. While a > q 2 or b > q or c > q, if a > q 2 , replace x a with x a ~ q +1 ; if b > q, replace 
y q with x q+1 — y; if c > q, replace z q with y q+1 — z. The maximum (q 2 ,q(q + 1), (q + l) 2 )-weighted 
degree of monomials is nondecreasing after each step, and moreover the weight is shifted towards 
z — >• y — > x, so this process will eventually terminate. 

Lemma 7.7. For a G N, let a% denote the ith bit in the binary representation of a, i.e. a = 
Y^i>o a i^- Let b = 0(1) + [log 2 rn\ where the 0(1) is a sufficiently large constant. Suppose 
£ > m + k + 0(1) for sufficiently large 0(1). Define Goods t° be the set 

{(ai,...,a m ,0i,...,o m ,ci,...,c fc ) I 3s G [2£-K,2£-b-l] Vt G [0,6] Vk (a k ) s +t = (c k ) s +t-e = 0}}. 

If (ax,... ,a m ,bi,...,b m ,a,...,c m ) G Good 3 , then f]£Li x k°yk z k° G £■ 
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Proof. Fix ctfc < p a,k, (a' k ,/3 k ) < p bk, and (a'^fi^Sk^k) < P Cfe for all k 6 [m]. Similar to the proof 
of Lemma 7.4, it suffices to show that, after reducing 

modulo I into a sum of monomials x a y z c with a < q 2 , b,c < q, each of them satisfies (a) s +b = 
(fc) s+ 6 = (c) s+fe = 0. By assumption, 

(a k )s+t = (a'k)s+t = (a'Ds+t = (Pk)s+t = (flk)s+t = (5k)s+t = (7fc)a+t = ° 

for all k £ [m] (recall that bk,Ck < q). As the details are similar to the proof of Lemma 7.4, we 
omit many details from this proof. 

Let a = YT=i a k + a 'k + a k + Q&k, let (3 = Y%Li Pk + P' k + fa and let 7 = Ylk=i Ik- If 
a < q 2 , /3,7 < q, then x a y l3 z' y does not need to be reduced, and one can verify that (a) s+ i, = 
(/3) s +6 — (7)s+fo = 0. If a > g 2 , then we simply reduce to x a mo ' 9 ~ 1 'y^z 1 and as long as 
6 is sufficiently large, say 6 = 3+ [~log 2 m,] (since a is the sum of Am numbers). If /3 > q, 
then x a y^z 1 reduces by one step to x a + q — \y^ — qz 1 — x a y /3 ~ q+1 z' y . By induction on the 
{q 2 ,q{q + 1), (q + l) 2 )-weighted degree q 2 a + q(q + l)/3 + (q + 1) 2 7, it suffices to consider the 
monomial x a+q+1 y /3 ~ q z' y . Repeating this reduction, we are left with x a+u ( q+l >yP mod q z 1 for u < 3m, 
since the (3 < 3mq, and by a similar argument to Case 3 in the proof of Lemma 7.4, we have 
(a + u(q + 1) mod (q 2 — l)) s +& = (/? mod q) s +b = {l)s+b = 0. Finally, if 7 > q, we reduce as we did 
for /3 > q, and by a similar argument we are done, by increasing b by a sufficiently large constant 
independent of q and m. □ 

Lemma 7.8. Let b and Good3 be defined as in Lemma 7.7. Then 

|Good 3 | > q irn {\ - (1 - 2- 2mh ) K l b ). 

Proof. Same idea as the proof of Lemma 7.5. □ 

Putting together Lemmas 7.7 and 7.8, we obtain the following. 

Theorem 7.9. Let m > 1, let k > and let 5 = 2~ K . Let q be a power of 2 such that 5q > 
Q(m) for sufficiently large constant inside the Q, and let r = (1 — 5)q 4 . Let § = <3?3 and let 
£ = Lift^ (Hernig[r]). Let b = 0(1) + |~log 2 m~\ for sufficiently large 0(1). Then the rate of £ is at 
l east 1 _ (1 _ 2-imb^/b > 1 _ e -n/b2^\ 

In particular, to achieve query complexity N e and rate 1— a, take m = [2/e] , c = [&2 2 ln(l/a)] , 
5 = 2~ c , and q such that g 4m = N. We are left with error correction rate 5 2 = cP^°( l ' e > € ^sv 1 / 6 )) 
and alphabet size iV e ' 4 . 

7.2.2 Beyond the 3rd level 

Now we consider the case for general n. As the n = 3 case contains the essential ideas behind the 
general case, we will omit many details in our analysis for general n. Again, we consider monomials 
on H™, which have the form 



nn- 



r 3 
C jk 

k=lj=l 
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where for all k G [m], i± k < q 2 and ij k < q for all j G [2,n]. We lower bound dim^ 2 C by lower 
bounding the number of monomials on H™ in C. We would like to consider what happens to a 
monomial when we substitute 

(x lk ,...,x nk ) i-» (p( k) {xi,...,x n ) 

for some ip = ((/?', • • • , (p( m >) G $ m . Again, we only care about the monomials that appear in 
the <p- . However, as n grows, the polynomial (ip a ,b)n becomes increasingly complicated, with 
increasingly many monomials of increasing higher degree. Thus, we will not be able to get a very 
good lower bound on the rate of C, though it will be constant if m and n are constant. 

Lemma 7.10. For a G N, let a>i denote the ith bit in the binary representation of a, i.e. a = 
^ i>0 aj2\ Let b = 0(n) + [log 2 ?n] where the 0(n) is a sufficiently large constant times n. Define 
Good n to be the set of (ijk)j£[n],ke[m] such that there exists s G [2£ — k, 2£ — b — 1] such that for 
all t G [0, b] and for all k G [m], (i lk ) s +t = and (i jk ) 8+t _ e = for j G [2, m]. If (ijk)je[ n ],ke[m] € 
Good n , then Y\T=i lYj=i x ] j k € C - 

Proof. The proof is essentially the same idea as the proof of Lemma 7.7 so we omit the details. 
The key point is that the </r- have (x, g)-weight (see Definition 6.4) at most n, so when expanding 
out 

m n 

HH^f\x 1 ,...,x n ))^ 

k=lj = l 

into a sum 

n 

£(->rR 

each ij is the sum of n P^-'m terms. Thus, we need to b to be on the order of the logarithm of that, 
or 0(n) + |~log 2 m] . □ 

Lemma 7.11. Let b and Good n be defined as in Lemma 7.10. Then 

|Good„| > q( n+1 ) m (l - (1 - 2 - nmb ) c l b . 

Putting together Lemmas 7.10 and 7.11 we obtain the following. 

Theorem 7.12. Let m > 1, let k > and let 5 = 2~ K . Let q be a power of 2. Let r = (1 — 5)q n+1 . 
Let <£ = <!>„ and let C = Lift^ (Herm^ [r] ) . Let b = 0(n) + [~log 2 m~\ for 0(n) a sufficiently large 
constant times n. Then the rate of C is at least 1 - (1 - 2~ nmb ) K / b > 1 — e~ K / 62 " 



-ynmb 



To achieve query complexity N e and rate 1 — a, take m = \2/e~\ , k = \b2 nmb ln(l/a)l ,5 = 2 K , 
and q such that q( n+l ) m = N. "We are left with error correction rate 8 2 = a (°( n ' e ' " ' lo &( l / € )> and 
alphabet size N e ^ n+1 \ 

Remark 7.13. The observative reader may notice a discrepancy between the bounds for the general 
n case and for the specific cases n = 2 and n = 3. Ln particular, for query complexity N e and rate 
1 — a, our bound for the error correction rate for general n is a ^°^ n ' e ' ' E kwA) whereas our 
specific bounds for n = 2 and n = 3 suggest a bound of a ( ( n ' e ' e tosl 1 / 6 )). i n fact, this latter 
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bound holds — in our definition of Good„, we do not need (i2k)s+t—t = for any k G [771] as long 
as we take £ — (m + k) to be sufficiently large. The reason is that (ip a ,b)2( x ) = a q+1 X2 + ab\x2 + 62 
is an affine map, unlike (<p a ,b)j for j > 3. Consequently, when expanding out 



jk 



into a sum 



nim k) ( X1 ,...,x n )y. 
k=ij=i 

n 

B-)IW 

i=i 
the term ij is the sum degrees in the p-shadow of iji- and also q times degrees in the p-shadow of ij%, 
except when j = 1 or j = 2. Thus, the fact that the <p have high degree prevents us from obtaining 
a bound like a (°("/ 6 ) logUA))^ which would mean our constructions drastically improve with 
each increment in n, for sufficiently small e. 

Remark 7.13 motivates the search for tower codes which admit an automorphism group that 
is close to doubly transitive. However, it seems difficult to find function field towers correspond- 
ing to Riemann-Roch spaces over one-point divisors which admit large automorphism groups. A 
well-known tower, the Garcia-Stichtenoth tower [3, 4], is defined by the points (xi, . . . ,x n ) G F" 2 
satisfying 

Tr(x i+1 ) = pp\ ViG[l,n-l]. 

Tr(xi) 

It is shown in [8] that the only automorphisms of the code stabilizing the pole divisor is the group 
corresponding to "scaling" by a G F* for various a. 

8 Conclusion 

In this work, we presented a general framework for constructing high rate locally correctable codes. 
Our framework is an abstraction of affine lifting [5], automorphic lifting [1], and high-degree lift- 
ing [1]. We showed that the lift of a code with good distance with respect to some $ that is close to 
doubly transitive also has good distance, and moreover this holds even when the base code is not 
invariant under $ or when <J> is not a group. We showed how one can generalize the construction 
of the lifted Reed-Solomon code of [5] to lift other algebraic geometry codes, such as the Hermitian 
code and the Hermitian tower, the latter with respect to a hand-crafted non-group $, to obtain 
locally correctable codes that can attain query complexity N e and rate 1 — a while correcting a 
constant fraction of errors, for any given e, a > 0. 

We believe the lifting framework deserves further study. Lifted codes naturally have good 
locality properties. A natural direction to explore the local testability of lifted codes. A local tester 
is given oracle access to a word / and must distinguish whether / G C or 5(f,C) > e for some given 
constant e > 0. The work of [5] shows that affine lifting naturally yields affine-invariant locally 
testable codes. An interesting question is whether lifting algebraic geometry codes yields locally 
testable codes, and what kind of assumptions on $ are necessary (for example, that the base code 
is ^-invariant or that $ is a group). In fact, [ r >] shows that both local correct ability and local 
testability follows generically from affine lifting. In our work, local correctability follows generically 
from lifting — the instantiation of algebraic geometric base codes is only used to analyze the rate. 
It would be interesting to see if local testability follows generically from lifting as well. 
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